SELinux Object Classes and Permissions Reference

This document contains a list of all of the object classes and permissions for modern SELinux systems (starting in kernel 2.6.0). Each permission has a brief description of its semantics, in addition to the versions of the kernel which support the permission and the policy capability that enables its enforcement (if applicable).

The document has the following caveats:

The permission descriptions are only for providing a general idea of the purposes of the permissions; a permission may mediate many operations.

Since SELinux development is ongoing, this document may be incomplete or inaccurate.

Common Permission Sets

common database

Permission    Description
create        Create a new database object.
drop          Remove a database object.
getattr       Get the attributes of a database object.
setattr       Set the attributes of a database object.
relabelfrom   Change the security context based on the existing type.
relabelto     Change the security context based on the new type.

common file

Permission    Description
getattr       Get file attributes for block file, such as access mode (e.g. stat, some ioctls, ...).